Re: Very Critical issue
- From: Sukhwinder Singh <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Jan 2009 09:17:01 -0800
Dear Jorge,
Let me explain the whole setup to you. We have domain a.com which is spanned
across multiple Sites. Each site is having the Domain controller and the
Clients in the site are configured to go to local domain controllers for the
DNS query.
We have another domain b.com which is also spanned across multiple sites and
the clients are configured to go to local Domain Controller for DNS query. We
are migrating the b.com domain to the a.com as a.com is the parent domain for
the organisation and b.com is the domain for one of the division in
organisation.
Before migration we have created trust between both the domains and we have
created secondary zone for b.com in the root server of a.com and vice versa.
After the secondary zone is created we have transferred the zone from master
and created trust.
After we complete the domain migration for a branch in b.com and bring all
the computers to a.com domain we configure the clients in that branch to
point to Local domain controller for a.com in new domain.
As we are migrating all the users first, the file and other servers are
still there in old b.com domain. The users from the a.com are trying to
access file servers in b.com. The file servers in b.com are pointing to the
DNS servers of their domain.
This setup was working fine and users were able to access all the shared
drives but suddenly since Tuesday morning the issue started. We have done the
modification in file and registry permissions on last Thursday.
Hope I am able to clarify your doubts. Please let me know if you need any
information from my end.
Thanks
"Jorge Silva" wrote:
Ok,
Since that you're able to recreate the trust that means that the DC that was
used to create the trust is able to communicate and validate the trust. Go
to each DC and make sure that they can validate the trust and that they can
reach the other DC in the other forest.
Now, are the clients using that same DC/DNS or are they querying a different
DC/DNS that may have issues in their DNS secondary Zone?
What changes did you make? When you did those changes, was at that time that
the clients started with issues when trying to access to the other servers
in the other forest? Did you enable any FW locally on the DCs?
Can you describe exactly how clients DNS are configured and how DC DNS are
configured for that Zone?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:B77FE02D-5621-403A-9148-76E4F5D013E4@xxxxxxxxxxxxxxxx
Dear Jorge,
We have recreated and reloaded the secondary zones and created Trust again
which shows that the Secondary zones were getting transferred properly.
We have recently changed some of the File permissions and registry
permissions on the Domain controllers in the users domain as per the
procedure of hardening Windows 2003 servers. Can you help me to find if the
problem happened due to those changes.
Thanks and Regards,
Sukhwinder Singh
"Jorge Silva" wrote:
Ok,
What are you saying... That after you create the stub zone the problem is
solved? If yes, that shows that you had DNS secondary zones outdated for
those DNS servers that were serving the clients' requests. Remember that
secondary zones for domains that are outside of your forest need to be
explicitly authorized, if the zones were outdated that could be because you
either lost the permissions to zone transfers "and warning logs will be
recorded at the DNS server" or some FW is blocking the TCP port 53 that is
used for zone transfer.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:89B79680-2B71-4679-B9CD-4F874F4BC684@xxxxxxxxxxxxxxxx
Dear Jorge,
Even after changing the Time in both the Domains and synchronising the issue
was not resolved.
We have deleted the secondary zones which were created for Trust creation
and created the stub zones in place of that and configured the DNS to
replicate the stub zone to all Domain controllers after that the issue is
resolved.
I need to find the Root Cause of the issue but not able to understand what
was the issue as the trust was working fine since last 4 months and users
were able to access all the shares. Suddenly on Monday morning the issue
started. We have created Stub zone as a workaround but can someone help me
to get to the root of the issue.
I am in a real fix.
Please Help!!!!!!
Thanks and Regards,
Sukhwinder Singh
"Jorge Silva" wrote:
Correct, time is very important in AD environments to validate Kerberos and
replication. Correct that and check if the same happens. Let's know the
results.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:5724E9D1-5EEC-45BA-9070-BAA2A3984100@xxxxxxxxxxxxxxxx
Hi Jorge,
We do have WINS setup in both the domains. DNS is installed in all the DC's
and workstations are configured to connect to the local DNS servers in site.
When we Ping using netbios or host name we are getting proper response.
We have found one more thing that after logging to PDC in a.com and opening
dsa.msc when we are trying to connect to b.com domain we are getting the
error
"windows cannot connect to the new domain no authority could be contacted
for authentication"
We have checked and found that there is time difference of more than 5 mins
between both the domains.
Please confirm if the issue can happen due to time difference in both the
domains as it is more than 5 mins.
Sukhwinder Singh
Regards,
"Jorge Silva" wrote:
Hi
-Did you follow my last post?
-Do you have WINS? How DNS is configured in Workstations/Servers and DCS?
- If you ping that server using \\servername, what results do you get? and
if you ping using the FQDN \\servername.domain.com what results do you get?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:B99556BD-761C-4DA8-8B4A-3FDBD8B516EF@xxxxxxxxxxxxxxxx
Hi Jorge,
We have checked DNS and Domain functionality using DCDIAG AND NETDIAG and
could not find any error. In one of the servers the issue is resolved by
restarting the file server.
We have logged into another file server and checked the acl of the shared
folders. I was surprised to see that the acl contains some unresolved SID's
from the other domain. We have previously done security translation on these
servers to add the users from both the domains.
The users from the domain in which the server is added are showing fine but
users from other domain are showing as unresolved SID's
Will there be any issue with secure channel. Kindly let me know how to
verify secure channel in windows 2000 file server.
"Jorge Silva" wrote:
Hi
This is generally caused by bad DNS configuration, make sure that BOTH ends
can resolve each other by DNS, then do the test using
\\servername.domain.com. Also check WINS (assuming different subnets) when
using \\servername instead of \\servername.domain.com.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:193C9E8A-E7EA-4B0A-AD78-64C8CC6E55E5@xxxxxxxxxxxxxxxx
Dear All,
We are facing serious issue in our Active Directory network. We have 2
forests and there is forest trust between both the forests. There is a file
server in domain a.com and the users are in domain b.com. When the users are
trying to access the file server as \\servername they are getting the error
as below
"\\servername is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out if
you have access permissions.
There are currently no logon servers available to service the logon
request."
This issue is very critical as no one is able to access the shared drives.
We are in the process of domain consolidation, so many of the
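
Added example, not part of the original thread: the outdated-secondary-zone condition raised in the quoted replies (a DNS server whose secondary copy of b.com has stopped receiving zone transfers) can be detected by asking each DNS server for the zone's SOA record and comparing serial numbers with the master. The function names are hypothetical and the responses are constructed sample data, not captures from the poster's network.

```python
import struct
SOA = 6  # DNS record type: start of authority

def soa_query(zone, qid=0x1A2B):
    """Wire-format SOA query with recursion off, so the server answers from its own copy."""
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack(">6H", qid, 0, 1, 0, 0, 0) + qname + struct.pack(">2H", SOA, 1)

def skip_name(msg, off):
    """Offset just past a domain name (plain labels or a 2-byte compression pointer)."""
    while msg[off] and msg[off] < 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_soa(msg):
    """Return (rcode, serial); serial is None when the reply carries no SOA answer."""
    _, flags, qd, an = struct.unpack(">4H", msg[:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            p = skip_name(msg, skip_name(msg, off))   # skip MNAME and RNAME
            return flags & 0xF, struct.unpack(">I", msg[p:p + 4])[0]
        off += rdlen
    return flags & 0xF, None

def secondary_state(master_msg, secondary_msg):
    """Classify a secondary's zone copy against the master (RFC 1982 serial arithmetic)."""
    m_serial, s_serial = parse_soa(master_msg)[1], parse_soa(secondary_msg)[1]
    if m_serial is None or s_serial is None:
        return "not-serving"                          # a side sent no SOA, e.g. SERVFAIL
    behind = (m_serial - s_serial) & 0xFFFFFFFF
    if behind == 0:
        return "in-sync"
    return "stale" if behind < 2**31 else "ahead"

def sample_response(zone, serial, rcode=0):
    """Constructed test data: the reply a server might send to soa_query(zone)."""
    q = soa_query(zone)
    if serial is None:                                # error reply with an empty answer section
        return q[:2] + struct.pack(">5H", 0x8000 | rcode, 1, 0, 0, 0) + q[12:]
    rdata = b"\x02ns\xc0\x0c\x05admin\xc0\x0c" + struct.pack(">5I", serial, 900, 600, 86400, 3600)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", SOA, 1, 3600, len(rdata)) + rdata
    return q[:2] + struct.pack(">5H", 0x8400, 1, 1, 0, 0) + q[12:] + answer
```

Against live servers, the bytes from `soa_query(zone)` would be sent over UDP to port 53 of the master and of each DNS server the clients use, and the raw replies passed to `secondary_state`.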